This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Internet of Things Project"
Craig Smith (talk | contribs) |
Craig Smith (talk | contribs) |
||
Line 192: | Line 192: | ||
= IoT Testing Guides = | = IoT Testing Guides = | ||
+ | |||
+ | == Tester IoT Security Guidance == | ||
+ | |||
+ | (DRAFT) | ||
+ | |||
+ | The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product. | ||
+ | |||
+ | {| border="1" class="wikitable" style="text-align: left" | ||
+ | ! Category | ||
+ | ! IoT Security Consideration | ||
+ | |- | ||
+ | | '''I1: Insecure Web Interface''' | ||
+ | | | ||
+ | * Assess any web interface to determine if weak passwords are allowed | ||
+ | * Assess the account lockout mechanism | ||
+ | * Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities | ||
+ | * Assess the use of HTTPS to protect transmitted information | ||
+ | * Assess the ability to change the username and password | ||
+ | * Determine if web application firewalls are used to protect web interfaces | ||
+ | |- | ||
+ | | '''I2: Insufficient Authentication/Authorization''' | ||
+ | | | ||
+ | * Assess the solution for the use of strong passwords where authentication is needed | ||
+ | * Assess the solution for multi-user environments and ensure it includes functionality for role separation | ||
+ | * Assess the solution for Implementation two-factor authentication where possible | ||
+ | * Assess password recovery mechanisms | ||
+ | * Assess the solution for the option to require strong passwords | ||
+ | * Assess the solution for the option to force password expiration after a specific period | ||
+ | * Assess the solution for the option to change the default username and password | ||
+ | |- | ||
+ | | '''I3: Insecure Network Services''' | ||
+ | | | ||
+ | * Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks | ||
+ | * Assess the solution to ensure test ports are are not present | ||
+ | |- | ||
+ | | '''I4: Lack of Transport Encryption''' | ||
+ | | | ||
+ | * Assess the solution to determine the use of encrypted communication between devices and between devices and the internet | ||
+ | * Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided | ||
+ | * Assess the solution to determine if a firewall option available is available | ||
+ | |- | ||
+ | | '''I5: Privacy Concerns''' | ||
+ | | | ||
+ | * Assess the solution to determine the amount of personal information collected | ||
+ | * Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit | ||
+ | * Assess the solution to determine if Ensuring data is de-identified or anonymized | ||
+ | * Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device | ||
+ | |- | ||
+ | | '''I6: Insecure Cloud Interface''' | ||
+ | | | ||
+ | * Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) | ||
+ | * Assess the cloud-based web interface to ensure it disallows weak passwords | ||
+ | * Assess the cloud-based web interface to ensure it includes an account lockout mechanism | ||
+ | * Assess the cloud-based web interface to determine if two-factor authentication is used | ||
+ | * Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities | ||
+ | * Assess all cloud interfaces to ensure transport encryption is used | ||
+ | * Assess the cloud interfaces to determine if the option to require strong passwords is available | ||
+ | * Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available | ||
+ | * Assess the cloud interfaces to determine if the option to change the default username and password is available | ||
+ | |- | ||
+ | | '''I7: Insecure Mobile Interface''' | ||
+ | | | ||
+ | * Assess the mobile interface to ensure it disallows weak passwords | ||
+ | * Assess the mobile interface to ensure it includes an account lockout mechanism | ||
+ | * Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID) | ||
+ | * Assess the mobile interface to determine if it uses transport encryption | ||
+ | * Assess the mobile interface to determine if the option to require strong passwords is available | ||
+ | * Assess the mobile interface to determine if the option to force password expiration after a specific period is available | ||
+ | * Assess the mobile interface to determine if the option to change the default username and password is available | ||
+ | * Assess the mobile interface to determine the amount of personal information collected | ||
+ | |- | ||
+ | | '''I8: Insufficient Security Configurability''' | ||
+ | | | ||
+ | * Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available | ||
+ | * Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available | ||
+ | * Assess the solution to determine if logging for security events is available | ||
+ | * Assess the solution to determine if alerts and notifications to the user for security events are available | ||
+ | |- | ||
+ | | '''I9: Insecure Software/Firmware''' | ||
+ | | | ||
+ | * Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered | ||
+ | * Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption | ||
+ | * Assess the device to ensure is uses signed files and then validates that file before installation | ||
+ | |||
+ | |- | ||
+ | | '''I10: Poor Physical Security''' | ||
+ | | | ||
+ | * Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device | ||
+ | * Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port | ||
+ | * Assess the device to determine if it allows for disabling of unused physical ports such as USB | ||
+ | * Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only | ||
+ | |} | ||
+ | |||
+ | ===General Recommendations=== | ||
+ | |||
+ | Consider the following recommendations for all user interfaces (local device, cloud-based and mobile): | ||
+ | * Avoid potential Account Harvesting issues by: | ||
+ | ** Ensuring valid user accounts can't be identified by interface error messages | ||
+ | ** Ensuring strong passwords are required by users | ||
+ | ** Implementing account lockout after 3 - 5 failed login attempts | ||
+ | |||
= Top IoT Vulnerabilities = | = Top IoT Vulnerabilities = |
Revision as of 21:20, 7 August 2015
OWASP Internet of Things (IoT) ProjectOxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities. LicensingThe OWASP Internet of Things Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
|
What is the OWASP Internet of Things Project?The OWASP Internet of Things Project provides:
Project Leaders
Related Projects |
Email ListQuick DownloadNews and EventsClassifications |
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:
Attack Surface | Vulnerability |
---|---|
Ecosystem Access Control |
|
Device Memory |
|
Device Physical Interfaces |
|
Device Web Interface |
|
Device Firmware |
|
Device Network Services |
|
Administrative Interface |
|
Local Data Storage |
|
Cloud Web Interface |
|
Third-party Backend APIs |
|
Update Mechanism |
|
Mobile Application |
|
Vendor Backend APIs |
|
Ecosystem Communication |
|
Network Traffic |
|
Tester IoT Security Guidance
(DRAFT)
The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.
Category | IoT Security Consideration |
---|---|
I1: Insecure Web Interface |
|
I2: Insufficient Authentication/Authorization |
|
I3: Insecure Network Services |
|
I4: Lack of Transport Encryption |
|
I5: Privacy Concerns |
|
I6: Insecure Cloud Interface |
|
I7: Insecure Mobile Interface |
|
I8: Insufficient Security Configurability |
|
I9: Insecure Software/Firmware |
|
I10: Poor Physical Security |
|
General Recommendations
Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
- Avoid potential Account Harvesting issues by:
- Ensuring valid user accounts can't be identified by interface error messages
- Ensuring strong passwords are required by users
- Implementing account lockout after 3 - 5 failed login attempts